What controls are included in both a HITRUST CSF Certification and HITRUST’s certification for the NIST Cybersecurity Framework?

An organization selects an appropriate set of security control requirements for its information protection program based on its organizational, system and regulatory risk factors, and it is this set of control requirements that constitute its NIST Cybersecurity Framework Target Profile. While the control requirements map to various NIST Framework Core Subcategories, the control requirements for an organization’s HITRUST CSF Certification and certification of its NIST Cybersecurity Framework implementation are the same.